Security of Modbus Data Packets Against "Man-in-the-Middle" Attacks

Thread Starter

sritam paltasingh

Dear Sir/Madam,

I am using libmodbus API to communicate between the server and client devices via Modbus TCP. Everything is working fine. But I have the following additional requirement which is not supported by libmodbus:

1. The Modbus data packets transferred between the server and client are sent on an open port, which is specified during the Modbus socket/context creation. As the port is open, the data packets transferred are vulnerable to all types of attacks, the most common being the "man-in-the-middle" attack.

2. If the server and client are in a private LAN/WAN network, then there is no need for security of Modbus data packets on the open port.

3. But if the server and client are communicating via the public internet, then rogue devices can sniff the data by connecting to the network and hack all sorts of information.

4. The help I need is this: is there any library implementation of Modbus TCP which adds security to the data packets transferred between server and client? Or is there any TLS wrapping on top of libmodbus data packets to provide security?

Please help me with your valuable advice and suggestions.

Thanks and Regards,
Sritam Paltasingh.
 
MODBUS and MODBUS/TCP were not designed with any sort of security in mind. If security is a concern, you must use an intermediary to provide it, e.g. some sort of VPN or SSH bridging devices to encrypt the data in transit.

This is not to say that there are no proprietary implementations available that add a security layer to the protocol (it would not be difficult to do), but the original protocol doesn't even have hooks for security; one of its big benefits from the implementation and troubleshooting standpoint is its simplicity.

Just off the top of my head, I can think of a quick way to do it without hardware on the Windows or *nix end of the connection using the port bridging function of SSH, but that won't work on the field/device end unless there is a PC there.
 
Hi Sritam,

You may want to review the "MODBUS Security Protocol" specification at http://modbus.org/specs.php for the recent addition of TLS to the MODBUS TCP spec.

I'm investigating this for implementation on an electricity meter, but I'm not aware of any software libraries available yet.

Dennis
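To make the two points above concrete (that a plaintext Modbus/TCP ADU carries nothing an on-path attacker could fail to forge, and that "TLS wrapping" leaves the ADU bytes untouched and only changes the transport, which is the approach the MODBUS Security Protocol takes, on TCP port 802), here is an added example. It is not code from the thread, from libmodbus or from the modbus.org specification; the frames are constructed for illustration, and the hostnames and certificate paths are placeholders.

```python
"""Added example (not from the thread or libmodbus): why a plaintext Modbus/TCP
ADU can be altered in transit without detection, and how the same ADU is sent
unchanged once the TCP stream is wrapped in TLS (Modbus/TCP Security, port 802).
Frames are constructed for illustration; hosts and cert paths are placeholders."""
import socket
import ssl
import struct
from dataclasses import dataclass

MBAP_LEN = 7               # MBAP header: transaction id, protocol id, length, unit id
FC_WRITE_SINGLE_REG = 0x06
MODBUS_TCP_PORT = 502      # plaintext Modbus/TCP
MODBUS_TLS_PORT = 802      # "mbap-s": Modbus/TCP Security (Modbus/TCP over TLS)


@dataclass
class Adu:
    transaction_id: int
    unit_id: int
    pdu: bytes  # function code followed by its data

    def encode(self) -> bytes:
        # The length field counts unit id + PDU; protocol id is always 0 for Modbus.
        return struct.pack(">HHHB", self.transaction_id, 0, len(self.pdu) + 1,
                           self.unit_id) + self.pdu


def decode_adu(frame: bytes) -> Adu:
    """Parse one Modbus/TCP ADU. There is no checksum, MAC or signature to
    verify: any internally consistent frame is accepted as genuine."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return Adu(tid, unit, frame[MBAP_LEN:])


def write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Build a Write Single Register (0x06) request ADU."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REG, address, value)
    return Adu(tid, unit, pdu).encode()


def mitm_rewrite_value(frame: bytes, new_value: int) -> bytes:
    """What an on-path attacker can do to a plaintext frame: swap the register
    value in a Write Single Register request. The MBAP header stays valid and
    nothing in the ADU reveals the edit (TCP's checksum is simply recomputed)."""
    adu = decode_adu(frame)
    if adu.pdu[0] != FC_WRITE_SINGLE_REG:
        return frame
    fc, address, _old_value = struct.unpack(">BHH", adu.pdu)
    adu.pdu = struct.pack(">BHH", fc, address, new_value)
    return adu.encode()


def mbtls_client_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    """TLS context for a Modbus/TCP Security client: TLS 1.2 or newer, the server
    certificate checked against our CA, and our own certificate presented so the
    server can authenticate us (mutual authentication). Paths are placeholders."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def send_adu_over_tls(adu: bytes, host: str, ctx: ssl.SSLContext) -> bytes:
    """Send an ADU to a Modbus/TCP Security server. The bytes are exactly the
    plaintext ADU; only the transport changes, so a MitM now sees ciphertext
    and cannot splice in a modified frame without a valid certificate."""
    with socket.create_connection((host, MODBUS_TLS_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(adu)
            return tls.recv(260)   # a Modbus/TCP ADU is at most 260 bytes


if __name__ == "__main__":
    request = write_single_register(tid=1, unit=17, address=0x0010, value=100)
    tampered = mitm_rewrite_value(request, 9999)
    # Both frames parse cleanly; the receiver has no way to prefer one over the other.
    print("original:", request.hex(), decode_adu(request).pdu.hex())
    print("tampered:", tampered.hex(), decode_adu(tampered).pdu.hex())
    # With TLS the same `request` bytes would be passed to send_adu_over_tls(
    #     request, "plc.example", mbtls_client_context("ca.pem", "client.pem", "client.key"))
```

The tampered frame is the whole argument for an intermediary: a libmodbus client or server will accept it because the MBAP header is self-consistent and the protocol defines nothing else to check. Whether the tunnel is SSH port forwarding, a VPN, or native Modbus/TCP Security on port 802, the protection comes from the transport authenticating the peer and encrypting the stream, not from anything inside the ADU.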
 
One option would be to only run Modbus on the Intranet and use a bridge (using a different protocol) when communicating over the Internet.

Communicating over the Internet is much easier if all devices and computers on the Intranet act as clients and an online cloud server is used as a proxy to manage all communication. The following may be of interest to you:

https://realtimelogic.com/products/modbus/